Toshio_Shiino
Participant

How to configure Check Point as WAF?


Hi,

We have heard that the Check Point can work as simple WAF.
We are thinking that it is a part of IPS, because there is no WAF blade.

However we couldn't find any documents and information about it in SK or this check mate site.

Could you inform me of how to configure Check Point as WAF?

We know that OWASP Top 10 is renewed in 2017 as below.
--------------------------------------------
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging&Monitoring
--------------------------------------------

We are thinking that each of the above items corresponds to a signature of IPS.

Regards,

14 Replies
G_W_Albrecht
Legend

I would rather say that CP is more than a WAF - so to configure a CP GW as a WAF only you would have to disable FW, VPN and MOB as well as part of TP :-)...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Toshio_Shiino
Participant

Thank you for your comment.

I also think CP is better than WAF in a sense.

I'm concerned if it is necessary for us to customize some IPS signatures to address the OWASP Top 10.

I'd like to know concrete settings for WAF against the OWASP Top 10.

G_W_Albrecht
Legend

I would talk that over with your local CP SE - OWASP Top 10 includes e.g. Authentication Broken, this cannot be addressed by IPS signatures only 😉 Customizing IPS signatures themselves is not possible afaik, rather you can customize the IPS profile to fit your needs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vincent_Bacher
Advisor

Just check this https://www.checkpoint.com/downloads/OWASP%20Top%2010.pdf

Document released 2015, maybe there is a more recent one. Don't know.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
G_W_Albrecht
Legend

That is a good answer !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Toshio_Shiino
Participant

Thank you for your information.

It is really helpful for me.

joeg
Employee Alumnus

Charris_Lappas
Collaborator

This applies more on the IPS part but I do agree that to get the full benefits of total security all Blades on and on prevent!

Now as far as a Web Application Firewall the actual application needs to be learned in terms of values and variables. Only then you can lock down the application. For this there are specialised vendors offering solutions. But as said above it is a combination of everything.

From CP I just wanted to see some more customisation on IPS signatures like DNS and SSH tunneling... 

Thanks,

Charris 

0 Kudos
Vincent_Bacher
Advisor

Indeed, using a cp is quite different than using F5 ASM for instance, where you are able to allow/block all details like entry points of an application to parameters, cookies and so on.

But cp is much more secure than nothing 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Toshio_Shiino
Participant

Thank you for all.

I suppose that there are some differences from an appliance designed for WAF.

So I'd like to know exactly which vulnerabilities CP cannot address and also which signatures I need to change to prevent/detect. That is why I posted this question into this community.

The best solution is to use both CP and WAF(dedicated product).

This means better leave it to the specialist...

Everyone knows that; however, due to budget, resources, strategy etc., there are cases where a customer cannot buy both products. In that case, I want to say CP can address the OWASP 10 of the WAF area and recommend CP rather than WAF because CP also has other functions.

But I currently don't know exactly how to set IPS signatures. Unfortunately, local SEs don't know that.

I would appreciate it if someone could inform me of the information.

Thanks,

0 Kudos
PhoneBoy
Admin

This is an updated version of something I put together previously for OWASP 2013.

It's accurate to the best of my knowledge and feedback is appreciated.

Note that to cover the majority of the Top 10, other Software Blades than IPS must also be used.

The exact name of the IPS protection will vary, but searching through the IPS signatures should identify the relevant signatures.

| OWASP Top 10 (2017) | Description of Check Point Protection |
|---|---|
| A1 Injection | Check Point IPS Software Blade provides SQL injection, Command/Script injection and LDAP injection protection. |
| A2 Broken Authentication and Session Management | Check Point IPS blade offers protections against some known attacks on specific servers which exploit known authentication and session management vulnerabilities. Identity Awareness features can also be used for organizational applications intended for internal users. |
| A3 Sensitive Data Exposure | Check Point DLP and Content Awareness can be used to prevent sensitive data from |
| A4 XML External Entities (XXE) | Check Point IPS Software Blade provides IPS protections that protect against attempts to exploit vulnerabilities in XML parsing of XML external entities. |
| A5 Broken Access Control | Check Point Identity Awareness can restrict access to specific URL. |
| A6 Security Misconfiguration | Check Point IPS Software Blade provides multiple signatures to address known PHP, ASP and other web engine exploits. Check Point also includes a signature that can limit the allowed HTTP methods to safe methods only and prevent unsafe methods such as WebDAV and others. |
| A7 Cross-Site Scripting | Check Point IPS Software Blade provides XSS scripting protection. |
| A8 Insecure Deserialization | Check Point IPS Software Blade provides a number of signatures to protect against deserialization bugs in various implementations. |
| A9 Using Components with Known Vulnerabilities | Network security products may only inspect the traffic that passes over the network. If the use of the vulnerable component results in unique traffic for that component, it may be identified regardless of the application that uses that component. However, if the vulnerable component is an infrastructure used in different ways by different applications, and does not result in distinct traffic that can be identified, it is outside the scope of a network security device. |
| A10 Insufficient Logging and Monitoring | Check Point SandBlast Agent on managed endpoints can aggregate logs and generate forensic reports when endpoints are compromised. Check Point Security Management exports security logs via industry-standard syslog to other log management solutions. Check Point SmartEvent can be used as an effective monitoring and alerting tool, including automated actions that occur in response to events. |


James_Hall-Kenn
Explorer

Generally in scenarios like this, I have tended to use an open source / Check Point blend i.e. Apache/Nginx with mod_security as a reverse proxy and make sure that the traffic traverses the Check Point gateway after decryption (or use SSL interception).  This allows you to enforce IPS policies on the traffic and use mod_security for what it is good at i.e. web specific protocol enforcement.

You would need to be comfortable with open source for this to be effective.

  

You might be able to get a lightweight version of this using the Reverse Proxy functionality that is part of MAB depending on how complex your app is ... 
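
The reverse-proxy layout described in the post above, sketched as an nginx server block (an added example, not part of the original thread or any poster's configuration). The hostname, certificate paths, rules file and backend address are placeholders, and it assumes nginx built with the ModSecurity-nginx connector and a backend subnet that is routed through the Check Point gateway.

```nginx
# Added example: every name, path and address below is a placeholder.
# Runs on the reverse proxy host; needs the ModSecurity-nginx connector module.

server {
    listen 443 ssl;
    server_name app.example.com;                          # placeholder hostname

    # TLS ends here, so everything behind this proxy is decrypted.
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # placeholder path

    # ModSecurity handles the web-specific protocol enforcement.
    modsecurity on;
    # Assumed to include modsecurity.conf (SecRuleEngine On) and the rule set in use.
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    # Refuse methods the application does not need (WebDAV verbs, TRACE, ...).
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 405;
    }

    location / {
        # Plain HTTP on the proxy-to-backend leg. 10.0.20.10 is assumed to sit
        # in a subnet reached only via the Check Point gateway, so the IPS
        # blade inspects this traffic in clear text. Using https:// here would
        # hide the payload from the gateway unless it also does SSL inspection.
        proxy_pass http://10.0.20.10:8080;

        # Preserve the original client details for the application and logs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout the gateway sees the proxy's address as the source of every connection, so correlating an IPS log entry with the real client relies on the X-Forwarded-For header or the proxy's own access log.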

HeikoAnkenbrand
Champion

Hello,

At the CPX in Vienna a WAF cooperation with RADWARE was presented.  Unfortunately I don't hear anything about it here.

With Check Point you can currently check some OWASP points.
I've been working with WAFs for years. From my point of view it is not a full WAF solution.

Here I miss a lot what other WAF manufacturers offer.

For example:
- Learning mode for web applications
- ways to manipulate web traffic (http redirects, rewrite urls,...)
- transparent proxy layer 2 solution
- proxy based load balancing

I think Check Point should provide a WAF blade in the future.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion

FYI: Check Point WAF Infos!

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
